JUst in time access for domain admin access

Question

JUst in time access for domain admin access

SAGA 45

Hi I remember there was a feature which is like Just in time access to grant domain admin access or privilege access since 2016 onpremise AD. so this will add a attribute with TTL value and after that time it will revoke that access automatically. I have been searching the required blog but could not find one. Could you please share that information for the on-premise active directory. Require pre-requisites information and implementation process

0 comments

Answer accepted by question author

2 additional answers

Your answer

Answer 1

Good day SAGA

The TTL-based group membership feature isn’t “on” by default, even if your forest/domain functional level is 2016. You need to explicitly enable the Privileged Access Management (PAM) optional feature using:

Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target <YourForestName>

Once enabled, you’ll be able to use the -MemberTimeToLive parameter with Add-ADGroupMember. Without that, the command will throw the “parameter is incorrect” error you saw.

About the irreversible part: enabling this optional feature does extend the schema, and you can’t roll it back. That said, it’s a supported Microsoft feature, and it doesn’t break existing functionality. It simply adds the ability to assign temporary group memberships with TTL. The main consideration is making sure your forest is healthy and replication is solid before you flip the switch.

So yes, you do need to enable it, and while it’s irreversible, it’s safe , it won’t disrupt your current infra. It just unlocks the JIT capability you’re after.

If everything is okay, don't forget to share your experience with the issue by "Accept answer". If you need more information, feel free to leave a message. We are happy to help!

SAGA 45 Reputation points

2026-03-18T08:51:09.5133333+00:00

Thank you so Much for your time and appreciate it

Answer 2

HLBui 5,945 Independent Advisor

Hi SAGA

It is the Privileged Access Management (PAM) with Time-to-Live (TTL) attributes feature that was introduced in Windows Server 2016 Active Directory. It’s basically Microsoft’s way of giving “just-in-time” admin rights without leaving permanent elevated accounts hanging around. Instead of making someone a Domain Admin forever, you grant them the role with a TTL value, and once that timer expires, the attribute automatically clears and the elevated access is revoked. Super handy for reducing attack surface and meeting compliance requirements.

Pre-requisites you’ll need:

Your AD forest has to be at Windows Server 2016 functional level (both domain and forest).
You’ll need to set up a Privileged Access Management (PAM) environment, which usually involves a bastion forest (sometimes called a “shadow forest”) to manage these temporary privileges.
Proper replication and trust between your production forest and the PAM/bastion forest.

Implementation process at a high level:

Create the bastion forest and establish a one-way trust with your production forest.
Configure shadow principals (basically mirrored accounts/groups) in the bastion forest that map to your privileged groups in the production forest.
Use PowerShell or the PAM APIs to grant membership with a TTL. For example, you can run something like Add-ADGroupMember -Member <user> -Identity "Domain Admins" -MemberTimeToLive (New-TimeSpan -Minutes 30) to give someone Domain Admin rights for 30 minutes.
Once the TTL expires, AD automatically removes the user from the group no manual cleanup needed.

If this guidance proves helpful, feel free to click “Accept Answer” so we know we’re heading in the right direction and let me know if you need any assistance. Thank you!

SAGA 45 Reputation points

2026-03-17T12:38:02.8433333+00:00

Hi Do we need shadow forest mandatory? Cant we use this feature in the existing domain for example I have a parent domain xyz.com and child domain sales.xyz.com and purchase.xyz.com. FFL and DFL is 2016 . Goal is to reduce the domain admin /Administrators members and to enable JIT
HLBui 5,945 Reputation points Independent Advisor

2026-03-17T13:26:42.8366667+00:00

Hi SAGA

The shadow forest comes into play when you want the full Privileged Access Management (PAM) experience things like isolating privileged accounts, stronger separation of duties, and a hardened environment for managing elevated access. It’s more of a “best practice” for enterprises with strict compliance needs, but technically you can still achieve just-in-time access in your current forest setup.

For your scenario reducing Domain Admin/Administrators group members and enabling JIT you can simply use PowerShell with TTL. Example:

Add-ADGroupMember -Identity "Domain Admins" -Members <UserName> -MemberTimeToLive (New-TimeSpan -Minutes 30)

That way, the user gets elevated rights for 30 minutes, and AD automatically removes them afterward. No shadow forest required.

So bottom line: if you want the simplest path, stick with TTL in your existing domains. If you want the most secure and compliant setup, consider the bastion forest later. Either way, you’re on the right track to tightening up admin access.

If this clears things up, don’t forget to hit “Accept Answer” so others know it’s helpful
SAGA 45 Reputation points

2026-03-17T15:15:05.94+00:00

Thanks for the answer, One more question, Hope there is a need to extend the schema (feature enablement) and to use the command Add-ADGroupMember -Identity "Domain Admins" -Members <UserName> -MemberTimeToLive (New-TimeSpan -Minutes 30). Hope doing that will not impact anything and safe process to do.
HLBui 5,945 Reputation points Independent Advisor

2026-03-17T15:36:52.34+00:00

Hi SAGA

The command is perfectly safe it just adds the user to the group with a TTL value. After 30 minutes, AD automatically removes them. It doesn’t mess with existing memberships, doesn’t corrupt the group, and doesn’t require any manual cleanup. The only “impact” is that you’ll see the temporary membership in the group until the TTL expires.This is a great way to reduce standing admin accounts and move toward a just-in-time model without having to deploy a full PAM shadow forest. The shadow forest is more about isolation and compliance, but for your goal cutting down Domain Admin members, you can absolutely use TTL in your existing domains.

So bottom line: no extra schema extension needed beyond 2016 functional level, the process is safe, and it’s a solid way to tighten up your privileged access.
SAGA 45 Reputation points

2026-03-17T16:07:47.3233333+00:00

thanks for your response one last question. sorry I should have asked this clearly and its my mistake. If we run that command it says parameter is incorrect. So Do we need to enable the feature (enable-optionalfeature "privileged access management feature"). Running this will it create any issues in the infra as its irreversible so wanted to check this part.
SAGA 45 Reputation points

2026-03-18T05:40:46.5966667+00:00

thanks for your response one last question. sorry I should have asked this clearly and its my mistake. If we run that command it says parameter is incorrect. So Do we need to enable the feature (enable-optionalfeature "privileged access management feature"). Running this will it create any issues in the infra as its irreversible so wanted to check this part

Answer 3

The feature being described is Microsoft’s just-in-time (JIT) privileged access, implemented for on-premises Active Directory through Privileged Access Management (PAM) in Microsoft Identity Manager (MIM), and conceptually related to Just Enough Administration (JEA).

In this model:

Privileged access (for example, Domain Admin–equivalent rights) is granted only just-in-time and for a limited duration.
After the approved time window expires, the user is automatically removed from the privileged group, effectively revoking Domain Admin–level access.
This is implemented via a bastion forest and temporary group membership, not permanent standing membership.

Key points from the PAM/JIT model:

JIT and JEA principles
- PAM builds on just-in-time administration and Just Enough Administration (JEA).
- JEA defines a constrained PowerShell endpoint and command set for privileged tasks.
- An eligible user enables the needed permission for a specific task; the permission automatically expires after a specified time so that an attacker cannot reuse it.
How PAM is set up for JIT privileged access
PAM setup and operation follow four steps:
- Prepare: Identify highly privileged groups (for example, Domain Admins) in the existing forest and recreate corresponding groups without members in a bastion forest.
- Protect: Configure lifecycle and authentication protection (for example, MFA) for JIT requests.
- Operate: When a request is approved and authentication requirements are met, a user account is temporarily added to a privileged group in the bastion forest for a pre-set amount of time. During that window, the account has all privileges assigned to that group (including Domain Admin–level access if that is what the group represents). After the time expires, the account is automatically removed from the group.
- Monitor: PAM provides auditing, alerts, and reports of privileged access requests and activities, helping detect unauthorized or “inside” attacks such as direct additions to privileged groups in the original forest.
Behavior from the admin’s perspective
- An admin requests elevation (for example, to a group that confers Domain Admin–equivalent rights).
- PAM/MIM approves based on policy, adds the admin to the privileged group with a time-bound membership.
- The membership is effectively governed by a TTL-like concept: once the configured duration elapses, the system removes the membership automatically, so there is no standing Domain Admin access.
Why this is used
- Aligns with the “avoid standing access” principle: no permanent Domain Admin membership.
- Reduces risk from credential theft and malicious insiders, because elevated rights are available only for short, audited windows.

For Azure and Microsoft Entra ID, the same principle is implemented via Microsoft Entra Privileged Identity Management (PIM), which provides JIT role activation with automatic expiration, MFA, approval workflows, and auditing. For on-premises AD, the corresponding concept is MIM PAM with JIT group membership.

References:

Share via

JUst in time access for domain admin access

2 additional answers

Your answer